CEIC 2015 is just a few weeks away and we’re excited to meet with you face-to-face on the show floor and in the conference sessions earmarked for cybersecurity and incident response professionals. If your cybersecurity journey seems to grow more complicated with each passing CEIC event, this is the year you won’t want to miss.

Incident response as a discipline is still largely misunderstood and under-implemented, mainly because enterprises struggle to understand the changing security landscape and the need to be prepared for the inevitable cyber attack. To help you better understand these changes, we've developed new sessions and labs for CEIC 2015 to help you take incident response to the next level.

You’ve seen it in a dozen movies: a character commits a
crime, is ID’ed on security camera footage, then dyes her hair to alter her appearance
in hopes of evading capture. The m.o. is the same for polymorphic
malware—malicious software that’s constantly evolving or changing in order to
evade signature detection or blacklisting solutions. Although it’s not a new
addition to the hacker’s arsenal, the use of polymorphic malware has lately become a
favorite and highly dangerous tactic of organized cyber crime groups.

Black hats know that, if you change code enough, it will be
unrecognizable to intrusion prevention systems that rely on code “signatures”
or hashes. This is why we created and patented the Entropy Near-Match Analyzer—part of EnCase Cybersecurity—a few years back: to help incident responders find polymorphic variants of
binaries based on a different type of measurement.

There’s a renewed weapon of malware destruction in the
fields of war, and it goes by the name “Machete.” A targeted attack campaign
that kicked off in 2010 and now boasts an improved infrastructure, Machete has
mostly hit victims in Ecuador and Venezuela, with a smattering of victims in
other countries from the U.S. to Malaysia. Some of those affected are reportedly
military and intelligence organizations, embassies, and government agencies.

Machete is
cyber-espionage malware that can log keystrokes, capture audio from a
computer’s microphone, grab geolocation data, and copy files to a remote server
or even to a special USB device, among other things.

The most recent Verizon Data Breach Investigations Report (DBIR) revealed that crimeware is a serious problem for the construction, information, and utilities industries, representing over 30 percent of incidents. Among the most devilish in the ransomware trojan category is CryptoLocker.

How CryptoLocker Works
CryptoLocker arrives as a ZIP file attached to a seemingly innocent email. Once unzipped, the malware installs its payload in the user profile folder, adds a registry key so that it runs on startup, then starts phoning home to a command-and-control server. Once connected, the server generates a 2048-bit RSA key pair and sends the public key back to the infected computer; the malware then encrypts files across local hard drives and mapped network drives with that public key and logs each encrypted file to a registry key. At that point, the user gets a message that his or her files have been encrypted and a Bitcoin ransom is demanded.

You will never see an alert from your security information
and event management (SIEM) tool for a zero-day attack. There is no signature in your blacklist for
the malware that was custom-built for your organization and secretly colonized
your mail server a month ago. No indicator, no pattern match, no alert.

Why is this the case? Because malware is constantly morphing, and because the sophisticated and dedicated minds under those black hats are working night and day to design a data breach specifically for each organization they decide to invade. When it hits you, it will be the first time its signature has ever been seen.

Ale Espinosa
This post is not suited for the faint-hearted … especially those wearing a medical device.

The U.S. Food and Drug Administration (FDA) has issued cybersecurity recommendations for medical device manufacturers and user facilities, hospitals, health care IT and procurements staff, and biomedical engineers, following news of security issues in certain fetal monitors and software used in body fluid analysis.

According to the FDA’s safety communication issued last week, there are strong concerns regarding medical devices and hospital networks’ vulnerability to malware, as well as with the unauthorized access to their configuration settings. Among the devices and systems at greater risk are those that are network-connected or configured, hospital computers, smartphones and tablets, and password databases, among others.

Jessica Bair
The “Road to CEIC 2013” is a series of blog posts on all things CEIC, before, during, and after, from an insider’s point of view.

Are you an EnCase® Enterprise user who'd like to learn how to automate your network-enabled incident response? Or, perhaps an experienced EnCase® examiner looking for a career change or career enhancement? If a more complete approach to incident response is on your task list, you should attend Cybersecurity 101 with Josh Beckett, product manager for EnCase® Cybersecurity, at the CEIC 2013 Cybersecurity and Compliance Lab. This hands-on lab will demonstrate the basics of using EnCase Cybersecurity, as Josh walks through the major use cases of how the software will assist you in both incident response and compliance management roles; and how to implement it into your organization’s processes.

Anthony Di Bello
Most people are familiar with the phrase Fog of War, which refers to the uncertainty present in the heat of military operations. That same “fog of war” is also present in the cyber battlefields of today. Without the right insight, it’s next to impossible to tell what constitutes an attack, let alone what attacks have successfully hit their endpoints. Today’s advanced threats are multi-dimensional, rapidly evolving and stealthy.

They often hit endpoints quickly, sometimes through little-known zero-day vulnerabilities in browsers, operating systems, and other applications. Once in, they sit clandestinely and await instructions, which may be to exfiltrate data of value, burrow deeper into the infrastructure, launch attacks on others, or wait for a more opportune time to strike.

It may be startling to many, but faith in
traditional defenses to fight these attacks is often misguided as anti-virus,
intrusion detection and prevention systems, firewalls, and other old-line
defenses fail to block, let alone identify these attacks and provide quick
visibility into what is occurring on their network.

Guidance Software has recently partnered with FireEye, Inc. to help clear away the fog by integrating communications between their Malware Protection System (MPS) Appliances, which analyze and protect network traffic, and our EnCase Cybersecurity software, which secures the endpoint. Together, the two solutions provide a clear view into attempted attacks.

One of the first things customers of our
partner FireEye explain, as soon as they install the FireEye MPS Appliance, is
that they can suddenly see things they couldn’t see before, such as numerous
bad outbound and inbound communications they previously had no idea were
underway.

But seeing the threats is much different
than being able to understand precisely what they’re doing on the endpoint.
Security and IT managers need to know if malicious traffic is a threat to their
networks and infrastructure, and if any of these attacks have successfully
compromised an endpoint.

This is where the FireEye-Guidance
relationship comes in. When the FireEye MPS Appliance identifies nefarious
traffic, the integration with EnCase Cybersecurity makes it possible to
automatically validate if the attacks detected over the wire had successfully
penetrated into any systems attached to the network.

This integration between FireEye and EnCase
Cybersecurity provides customers with everything they need to scope and remedy
compromised endpoints.

To achieve this we’ve built an Enterprise Service Bus (ESB), a way to communicate with other technologies. With the new integration, EnCase Cybersecurity listens for FireEye MPS to report on detected events via an XML feed that is translated by the listener service. With just the IP address information and hash values related to the FireEye-detected event, EnCase Cybersecurity will first validate whether or not the attack successfully compromised the indicated endpoint(s). Once it confirms the presence of malware, additional information related to the attack will be collected and presented to the security analyst via a thin-client review capability. By capturing attack artifacts and indicators in this manner at the time of the alert, the security team can be confident that they have a complete picture of the attack, and a wealth of information with which to triage, determine risk exposure, and accelerate remediation efforts.
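The alert-to-validation step described above, as an added example that is not Guidance Software's or FireEye's code: a listener translates a network alert feed into an endpoint check using only the destination IP and the malware hash. The XML element names, the endpoint snapshots and every hash below are constructed, not the real MPS schema.

```python
"""Added example: translate a wire alert feed into an endpoint validation verdict.
The XML layout, the endpoint snapshots and all hashes are constructed placeholders."""
import xml.etree.ElementTree as ET

# Constructed alert feed. The element names are an assumption, not FireEye's schema.
ALERT_FEED = """<alerts>
  <alert id="1001" severity="major">
    <src ip="198.51.100.23"/>
    <dst ip="10.0.0.45"/>
    <malware name="constructed-dropper" md5="ffffffffffffffffffffffffffffff01"/>
  </alert>
  <alert id="1002" severity="minor">
    <src ip="198.51.100.77"/>
    <dst ip="10.0.0.46"/>
    <malware name="constructed-exploit-kit" md5="ffffffffffffffffffffffffffffff02"/>
  </alert>
  <alert id="1003" severity="minor">
    <src ip="198.51.100.9"/>
    <dst ip="10.0.9.99"/>
    <malware name="constructed-dropper" md5="ffffffffffffffffffffffffffffff01"/>
  </alert>
</alerts>"""

# Constructed endpoint snapshots, as a live-response agent would return them:
# the authenticated user and the running processes with the MD5 of each image.
ENDPOINT_SNAPSHOTS = {
    "10.0.0.45": {
        "user": "CORP\\jdoe",
        "processes": [
            {"pid": 412, "name": "explorer.exe", "md5": "11111111111111111111111111111111"},
            {"pid": 2210, "name": "svchost.exe", "md5": "ffffffffffffffffffffffffffffff01"},
        ],
    },
    "10.0.0.46": {
        "user": "CORP\\asmith",
        "processes": [
            {"pid": 388, "name": "explorer.exe", "md5": "11111111111111111111111111111111"},
        ],
    },
}


def parse_alerts(feed_xml):
    """Translate the feed into flat records: alert id, severity, target IP, malware name, md5."""
    # The feed comes from another system; parse it with defusedxml when it is untrusted.
    root = ET.fromstring(feed_xml)
    records = []
    for alert in root.findall("alert"):
        mal = alert.find("malware")
        records.append({
            "id": alert.get("id"),
            "severity": alert.get("severity"),
            "dst": alert.find("dst").get("ip"),
            "name": mal.get("name"),
            "md5": mal.get("md5").lower(),
        })
    return records


def validate_endpoint(record, snapshots):
    """Confirm or refute the wire alert against the target endpoint's live state."""
    snap = snapshots.get(record["dst"])
    if snap is None:
        # No agent answered: the alert cannot be validated, so it stays open.
        return {"alert": record["id"], "host": record["dst"],
                "verdict": "unreachable", "user": None, "artifacts": []}
    hits = [p for p in snap["processes"] if p["md5"] == record["md5"]]
    verdict = "compromised" if hits else "not-compromised"
    return {"alert": record["id"], "host": record["dst"],
            "verdict": verdict, "user": snap["user"], "artifacts": hits}


def triage(feed_xml, snapshots):
    """Run every alert through validation; confirmed compromises sort first for the analyst."""
    results = [validate_endpoint(r, snapshots) for r in parse_alerts(feed_xml)]
    order = {"compromised": 0, "unreachable": 1, "not-compromised": 2}
    return sorted(results, key=lambda r: order[r["verdict"]])


if __name__ == "__main__":
    for result in triage(ALERT_FEED, ENDPOINT_SNAPSHOTS):
        print(result)
```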

Without this network-to-endpoint view provided by the FireEye MPS Appliance and EnCase Cybersecurity, there’s no realistic way to tell if exploits and attacks are harmless to an infrastructure (such as exploits targeting an OS that is non-existent on a network), or if some other countermeasure such as a firewall rule or intrusion-prevention system has successfully blocked an attack.

Additionally, EnCase Cybersecurity is grabbing all of the data about the state of the machine, including what processes are running in RAM, what services and system libraries are running, who is authenticated to the machine, and more. With that information, the security analyst not only knows which systems are truly at risk, but also has what is needed to understand the attack in depth.

What this coupling of FireEye and EnCase technology does is clear much of the fog associated with all of the data that pounds security analysts’ management console screens every day. And it makes it possible for them to make clear, well-informed decisions all the way through remediation. For more information about the Guidance Software and FireEye collaboration, check out our press release, and download the datasheet.

We’ve highlighted in numerous posts that studies of security incidents and publicly disclosed breaches reveal that it’s all too common for attacks to go unnoticed for days, weeks, months, and even years. And, nearly as troubling, it’s rarely the breached organization that discovers that it’s been compromised – rather it’s usually a customer, partner, supplier, or even law enforcement that eventually notices something is awry and brings it to victims’ attention.

All of that was certainly true with the South Carolina Department of Revenue attack that we covered here. In this incident, the post-breach investigation found that the compromise occurred in mid-September and wasn't detected until mid-October. And when it was detected, it was detected by the United States Secret Service, which happened to be conducting a sting against the group that was responsible for the attack.

So what happened regarding this breach? As we learn more, it’s clear that time was working against the South Carolina Department of Revenue. To be fair, this is true for all targeted attacks. Take a look at the illustration below, from the 2012 Verizon Data Breach Investigations Report, which accurately demonstrates the scope of this challenge. The data in the figure below are the result of thousands of investigations that were conducted last year both by Verizon and a number of government agencies from multiple countries, including the United States Secret Service.

When looking at the various time spans between attack and response in all of those incident investigations, disturbing patterns emerge. Specifically, patterns appear when attack life cycles are segmented into four stages: the time between initial attack and compromise; the time between the initial compromise and data being stolen from the target; the time between that compromise and the point at which it was discovered; and finally the time between the discovery of that compromise and remediation.

The data find that attackers can exfiltrate data at best in a matter of hours or days, and at worst in a span of only minutes. Once in, attackers have shown again and again that they have the ability to begin exfiltrating data as soon as they’ve compromised a system.

And this isn’t just a handful of organizations; it is thousands. This proves that the status quo provided by traditional security software simply isn’t good enough. And the reality is that after attackers have had weeks, or months, to rummage through a network, simply wiping servers and endpoints isn’t going to get rid of the infection. The attacker has had too much time to plant backdoors and create ways to burrow back in.

Identify unknown, suspicious behaviors

What’s needed are ways to identify unknown, suspicious behaviors on endpoints. This is best achieved by performing periodic assessments designed to expose unknown running applications that exist in temporary memory and instances of known threats that morph (such as the Zeus banking Trojan), and by conducting ongoing scans for variants of such threats in order to fully understand and address the scope of a successful attack against your infrastructure.

Additionally, and in order to reduce your attack surface, you also need to be able to audit endpoints for sensitive data, which in all likelihood are the target of the attackers’ activity. By limiting pools of sensitive and confidential data, you can significantly reduce risk.

EnCase Cybersecurity helps in many of these efforts. First, EnCase Cybersecurity conducts network-wide system integrity assessments against a known-good baseline that has been established. Essentially, what you are doing is performing regularly scheduled audits for anomalies across the range of endpoints. And it works because, while you don’t know what the unknown looks like, you do know what the baseline looks like. This allows you to look at everything that doesn’t match that baseline, so you then can decide whether it's something that's good (and should be added to a trusted profile), or if you've been exposed to a malicious attack that needs to be remedied and added to known-bad profiles for future integrity audit scans.

How does EnCase Cybersecurity achieve this? It does so by leveraging the concept of entropy for similar-file scans. Think of it as a very fuzzy signature: the system assesses similarity rather than an exact match. It doesn’t matter what kind of files are being evaluated – EnCase Cybersecurity will expose the files and processes used by advanced attacks that are easily missed by traditional security technologies, such as intrusion detection systems and anti-malware software.
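The baseline audit with an entropy near-match fallback that this post (and the Entropy Near-Match Analyzer mentioned earlier) describes, as an added example that is not Guidance Software's patented analyzer or code: exact hashes settle trusted and known-bad files first, and an entropy profile catches a re-keyed variant whose hash no longer matches. The chunk size, the distance threshold and the sample "files" are constructed assumptions.

```python
"""Added example: baseline integrity audit with an entropy-profile near-match.
Chunk size, threshold and every sample byte string below are constructed assumptions."""
import hashlib
import math
from collections import Counter

CHUNK = 64         # bytes per entropy sample (assumption)
NEAR_MATCH = 0.35  # max mean per-chunk entropy difference, in bits (assumption)


def shannon_entropy(data):
    """Bits per byte of a byte string; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data):
    """Entropy of each CHUNK-byte slice: the 'fuzzy signature' of the file."""
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]


def profile_distance(a, b):
    """Mean absolute per-chunk difference; the shorter profile is zero-padded."""
    n = max(len(a), len(b))
    a = a + [0.0] * (n - len(a))
    b = b + [0.0] * (n - len(b))
    return sum(abs(x - y) for x, y in zip(a, b)) / n


def fingerprint(data):
    """What the baseline stores per file: the exact hash plus the entropy profile."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "profile": entropy_profile(data)}


def classify(data, trusted, known_bad):
    """Return (verdict, matched name). Exact hashes win; otherwise the nearest
    known-bad profile decides between 'near-match' and 'unknown'."""
    digest = hashlib.sha256(data).hexdigest()
    for name, ref in trusted.items():
        if ref["sha256"] == digest:
            return ("trusted", name)
    for name, ref in known_bad.items():
        if ref["sha256"] == digest:
            return ("known-bad", name)
    prof = entropy_profile(data)
    candidates = [(profile_distance(prof, ref["profile"]), name) for name, ref in known_bad.items()]
    if candidates:
        dist, name = min(candidates)
        if dist <= NEAR_MATCH:
            return ("near-match", name)
    return ("unknown", None)   # does not match the baseline: for analyst review


def _pseudo_random(n, seed):
    """Deterministic high-entropy bytes for the constructed samples."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


# Constructed samples: a packed dropper (192-byte low-entropy stub + high-entropy
# payload), the same dropper re-packed with a different single-byte XOR key (every
# payload byte differs, so every hash differs, but the entropy profile does not),
# a benign binary in the trusted baseline, and an ordinary low-entropy document.
STUB = b"MZ" + b"\x00" * 62 + b"stub: decrypt payload then jump " * 4
PAYLOAD = _pseudo_random(512, b"constructed-payload")
DROPPER_V1 = STUB + PAYLOAD
DROPPER_V2 = STUB + bytes(b ^ 0x5A for b in PAYLOAD)
BENIGN_BIN = b"MZ" + b"\x90" * 62 + _pseudo_random(448, b"constructed-benign")
DOCUMENT = b"Quarterly results: revenue up, costs flat, headcount unchanged.\n" * 12

TRUSTED = {"benign.exe": fingerprint(BENIGN_BIN)}
KNOWN_BAD = {"dropper-v1": fingerprint(DROPPER_V1)}

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_BIN), ("dropper v1", DROPPER_V1),
                          ("dropper v2", DROPPER_V2), ("document", DOCUMENT)]:
        print(label, classify(sample, TRUSTED, KNOWN_BAD))
```

Run across a fleet, the "unknown" and "near-match" results are the audit output: the former go to the analyst for a trusted-or-bad decision, the latter are variants of something already on the known-bad list.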

We’ve recently completed a webinar on this topic, Hunt or be Hunted: Exposing Undetected Threats with EnCase Cybersecurity, that provides much more detail about how EnCase Cybersecurity helps to defend against advanced, clandestine attacks. I invite you to watch, and learn how your organization can proactively ferret out any possible breaches before it’s too late and attackers have had time to entrench themselves into your infrastructure.

Anthony Di Bello
One of the biggest security conferences of the year is an important reminder on just how creative your adversaries can be.

Whenever I go to the Black Hat USA security conference in Las Vegas, I don’t know whether I feel more knowledgeable about the state of IT security - or if I’m more concerned. Honestly, it’s probably a little bit of both. This year’s show was no different.

One of the more frightening items of
research this year will certainly give hotel-goers around the world something
to think about. Security researcher Cody Brocious revealed in his presentation
just how easy it is to pick hotel electronic locks. The researcher demonstrated how certain types of hotel locks can be
bypassed to gain access to the room using little more than the open
source portable programming platform known as Arduino.

Another very interesting bit of research
came from two university researchers who managed to create a “replicated eye”
that is capable of fooling iris biometric scanners into allowing
authentication. The team printed synthetic iris image codes of actual irises
stored in a database. You can read more about their research here.

Even Microsoft’s upcoming operating system
didn’t get through the conference unscathed, with a researcher highlighting ways the security of the operating system can be bypassed,
such as applications being able to hijack Internet access rights of other
applications, and other potential vulnerabilities. While the researcher says
Windows 8 has many security benefits over its predecessors, there will still be
zero-day vulnerabilities just waiting to be found.

And in the days after Black Hat at DefCon,
a 10-year old hacker was recognized at the very first DefCon Kids, an overlay at DefCon, for finding
a way to exploit mobile apps via the manipulation of the device’s system
clocks.

Other interesting research included tools that made it possible to circumvent web application firewalls, the ease with which database permissions can be bypassed, and a growing number of known ways to hack smartphones.

All of this goes to show that the imagination (and age!) of attackers has no limits. And, inherently, no system can be trusted to be fully secure and impenetrable. As someone who has spent so much time in the IT security industry, that’s a humbling reminder that no matter how much we focus on prevention - someone will always be able to find and make their way through the walls we’ve put in place.

This makes it essential that organizations
be able to identify any potentially nefarious changes and unknown data or
processes in their environment. That means, of course, enterprises need to know
what their systems look like when pristine and healthy. That’s the only way to
be able to spot the unknown in the environment, and be able to clamp down on
the attack as soon as is possible. And that’s an important part of the
philosophy behind EnCase Cybersecurity.

It also means that a focus on incident
response is as important as ever. It’s the organizations that can identify,
clamp down upon, and successfully mitigate the damage of breaches that will, I
believe, prove to be the most effective at information security. And effective
incident response is a subject we just treated at some length.

Given the fact that DNS Changer, 5-year-old malware designed
to redirect traffic from infected users, still infects an estimated 58 of the Fortune 500 and at least 2 government agencies – it’s safe to say
IT and IS staff cannot entrust users to oversee the security of their
corporate/government issued devices. While the warnings
have been loud
and clear, and there are detection and cleanup tools available, it’s no fault of
their own — most employees aren’t paid to spend their day ensuring that their
computer is free of malware.

Unfortunately, for threats like DNS Changer, the detection
and cleanup tools require physical access to any given machine in order to
address the problem, and in any enterprise spanning multiple locations, or with
remote employees, this poses a challenge for the information security
team.

Fortunately, there are tools and just enough publicly available information to overcome this challenge. As mentioned above, the DNS Changer malware modifies device DNS tables to redirect the computer to fraudulent DNS servers. As such, the FBI has been kind enough to provide the ranges of fraudulent IP addresses that are being injected into the DNS tables of infected computers:

This information, coupled with cyber response technology like EnCase Cybersecurity, allows information security teams to rapidly audit the DNS tables on devices across the enterprise, exposing any device containing a reference to a fraudulent DNS entry, for a rapid, definitive understanding of which devices are infected with the DNS Changer malware. At that point, the information security team can take proper steps to remediate the malware.

A view of a device DNS table as seen by EnCase
with IP addresses associated with various DNS entries called out. An audit of
these tables network-wide with EnCase Cybersecurity can be used to expose the
effects of DNS Changer via known fraudulent DNS table entries.
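The network-wide DNS table audit described above, as an added example that is not Guidance Software's code: it takes rogue ranges in the "first - last" form such lists are published in, expands them to CIDR networks, and flags every device whose resolver entries fall inside one. The ranges, host names and resolver lists are constructed placeholders drawn from documentation address space; the published DNS Changer ranges would be substituted for a real audit.

```python
"""Added example: audit device DNS resolver entries against rogue DNS address ranges.
The ranges, host names and resolver lists below are constructed placeholders."""
import ipaddress

# Placeholder ranges in the "first - last" form the published lists use (constructed,
# from RFC 5737 documentation space; not the real DNS Changer ranges).
ROGUE_RANGES_TEXT = """
203.0.113.0 - 203.0.113.255
198.51.100.64 - 198.51.100.159
"""

# Constructed DNS table snapshots, one device per line: host name, then its resolvers
# as an endpoint agent would report them.
DNS_TABLE_SNAPSHOT = """
host=WS-0412 dns=10.1.1.53,10.1.1.54
host=WS-0977 dns=203.0.113.77,8.8.8.8
host=LT-0203 dns=198.51.100.100
host=LT-0311 dns=198.51.100.200,10.1.1.53
host=SRV-DC1 dns=not-configured
"""


def parse_ranges(text):
    """Turn 'first - last' lines into CIDR networks. A range that is not aligned to
    a single prefix becomes several networks via summarize_address_range."""
    nets = []
    for line in text.strip().splitlines():
        first, last = (ipaddress.ip_address(part.strip()) for part in line.split("-"))
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def parse_snapshot(text):
    """Return {host: [resolver entries]}; entries that are not IP addresses are kept
    as raw strings so the analyst still sees them."""
    tables = {}
    for line in text.strip().splitlines():
        fields = dict(field.split("=", 1) for field in line.split())
        resolvers = []
        for entry in fields["dns"].split(","):
            try:
                resolvers.append(ipaddress.ip_address(entry))
            except ValueError:
                resolvers.append(entry)
        tables[fields["host"]] = resolvers
    return tables


def audit(snapshot_text, ranges_text):
    """List (host, rogue resolver, matched network) for every device whose DNS table
    points at a rogue range; a clean fleet produces an empty list."""
    nets = parse_ranges(ranges_text)
    findings = []
    for host, resolvers in parse_snapshot(snapshot_text).items():
        for resolver in resolvers:
            if isinstance(resolver, str):
                continue                      # unparsed entry, nothing to match
            for net in nets:
                if resolver in net:
                    findings.append((host, str(resolver), str(net)))
                    break
    return findings


if __name__ == "__main__":
    for host, resolver, net in audit(DNS_TABLE_SNAPSHOT, ROGUE_RANGES_TEXT):
        print(f"{host}: resolver {resolver} is inside rogue range {net}")
```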

While modern threats such as DNS Changer have learned to evade traditional signature-based defenses, these threats still leave traces of their effect somewhere on the target device, whether on the hard disk or in memory. Forensic response technologies like EnCase Cybersecurity are designed to rapidly audit the enterprise for these artifacts, giving security teams a full and accurate understanding of the scope of any incident, as well as the information to empower complete remediation of those threats.

When thinking about the value of incident response, most people
focus on how it limits the potential damage of recent attacks, or even attacks
that are currently underway on the network. This is for good reason: proper
incident response can help reduce risk, limit the scope of disclosures (should
the investigation show that no PII was actually accessed, for instance), reduce
the costs of each incident investigation, and cut the costs of breaches
significantly.

Yet, what many don’t consider is how the information that is
gleaned from the investigation can not only go a long way to understanding the
source and scope of any specific incident, but that these findings can also
provide the valuable insight needed to shore up defenses for future attacks.

Consider some of the findings of the 2012 Data Breach Investigations Report, a study conducted by the Verizon RISK Team. It found that 81% of
breaches occurred through some form of hacking, and most by external attackers.
Additionally, nearly 70% of attacks incorporated some type of malware, and many
used stolen authentication credentials and also left a Trojan behind on the
network as a way to gain re-entry.

If, for instance, you were breached in that way, you’d know to keep a close eye out for any suspicious logins (such as unusual times, geographic locations, failed attempts, etc.), as well as any files or network communication that aren’t normal in the environment. Yes, you should be taking care of those things anyway, but if you know you are being targeted, or have been recently targeted - it doesn’t hurt to tune the radar to look for such anomalies.

One thing about security is that system defense is often like squeezing a water balloon: when you squeeze and tighten in one place, it gets bigger someplace else. So as you harden certain areas of your infrastructure, it’s likely that attackers will quickly target another area. That’s why it’s important to consistently analyze security event data, especially data from the most recent incidents and breach attempts.

Here’s a sample of ways incident data can help you thwart future
incidents:

Data gleaned from incident investigations can provide a complete understanding of an incident and will inform IT security exactly how an attacker managed their way onto a system or network, as well as how they operated once inside. Ideally, the collection of such data should be automated, to ensure real-time response before attack-related data has a chance to disappear. Event-related data gathered in such a way gives analysts useful indicators they can use to quickly understand the spread of malware throughout their organization without having to go through the time-consuming task of malware analysis. This type of data includes ports tied to running processes, artifacts spawned by the malware once on the endpoint, logged-on users, network card information and much more.

With this knowledge, you gain the ability to conduct a conclusive scope assessment, blacklists can be maintained to protect against reinfection, and other specific defenses against similar attacks in the future can be developed. For example, if you see more attacks through infected USB devices, it may be necessary to block such devices. If there are a number of phishing attacks, an organization can launch an employee awareness campaign. If it’s an attack against certain server services left on, close them when possible and put in place mitigating defenses. You get the idea: use what you learn to harden your infrastructure.

Data from the response can be used to develop signatures specific
to your own intrusion detection systems and even used to tune alerts sent by
your security information and event management system. That same data can be
shared with anti-virus vendors so that they can craft specific signatures
against new threats. For instance, an organization may be the only one to
experience a particular kind of attack, or the attack may be vertical specific,
but a thorough incident response process may be the only way to obtain data
needed for a signature to protect one’s own systems and those of the community.

The investigation may indicate the attack came through a supplier or partner, or through a path within the organization once thought to be secure. With the right information, steps can be taken to notify the breached partner, or to close security gaps you didn’t know existed on your own systems.

It now should be clear, when considering the value of incident response, that it’s important not to view this data in a vacuum, and that the processes in place should not only contain the damage of the incident at hand, but also make sure the data gathered is used for lessons learned and incorporated to make one’s infrastructure more resilient to future attacks.

It seems the torrent of data breach news never lets up. In 2010, according to the Open Security Foundation’s Data Loss Database, there were 555 breaches affecting nearly 27 million records. And while the number of incidents fell to 369 this year (so far, the year isn’t over as this is written), a staggering 126.7 million records have been affected.

The number of breached records isn’t the only statistic that is up. The most recent Ponemon Institute U.S. Cost of a Data Breach Study report, published in March of this year, found that the cost of breaches per record also is climbing. The report, which looked at 2010 data, found the cost per record to be $214, up $10 when compared to the previous year.

Why is the number of records compromised rising, along with the cost of breaches? There are no easy answers. Of course, more institutions are using electronic records today than ever before – and they’re also operating under stricter regulatory compliance mandates that require notification. Those are probably two very important reasons.

Another is the greater complexity of today’s networks. There are more servers, databases, and applications managing our data across more and more networks.

This makes it very challenging to quickly identify potential breaches as they’re just getting underway.

As networks grow more complex, with more interactions with more network infrastructure and applications, the number of potential security events to monitor also rises. In order to better manage the associated risks – and quickly clamp down on breaches as they’re occurring – IT security teams need to deploy more security defenses and to monitor everything from network access to network and web traffic to application usage.

This heightened level of security monitoring means, of course, that security teams will receive tens of thousands – for large organizations perhaps hundreds of thousands – of security alerts from their Security Information and Event Management (SIEM) system every day. This makes it incredibly difficult to prioritize and respond to those events that matter. In fact, obtaining information about endpoints (where many breaches originate) that can be acted upon in a reasonable period of time is next to impossible.

This lack of visibility into real-time endpoint security activity significantly intensifies enterprise risk by both increasing the probability that successful attacks go unnoticed, and that security teams are hampered from doing their jobs effectively.

What IT security teams need is quick access to endpoint data to reduce risks. Because endpoint data tends to decay, or change very often, by the time security teams get to see the alerts that come from their SIEM, it’s often many hours or days too late to respond.

What’s needed for SIEMs to be more effective is the ability to integrate endpoint incident response into SIEM alerting. For example, our EnCase® Cybersecurity automates the incident response process by enabling the augmentation of rules into one of the most well established SIEMs, HP ArcSight. This integration makes it possible for EnCase® to capture the necessary data right on the endpoint as soon as possible. For example, if a user who is authorized to access the network attempts to access unauthorized applications or resources, EnCase® Cybersecurity can be configured to capture relevant system information at the very time that undesirable event occurs. This ensures an accurate view of exactly what activity was underway at the time the user attempted to access the unauthorized resources.

Additionally, as alerts from security defenses are generated and captured by the SIEM, EnCase® Cybersecurity can be configured to immediately take memory and system information snapshots of all hosts involved in the event. This ensures a real-time glimpse into the state of the computer at the time of the alert, revealing known, unknown, and hidden processes, as well as running DLLs and network socket information.

And with that kind of information in the hands of the IT security team, it then can prioritize and address the biggest risks before substantial damage occurs. If more organizations had these capabilities in place, the number of breaches, affected records, and the total cost of the breaches would likely go down.

Anthony Di Bello
Chad McManamy
On October 13, the Division of Finance at the Securities and Exchange Commission (SEC) released “CF Disclosure Guidance: Topic No. 2 - Cybersecurity” representing the culmination of an effort on behalf of a group of Senators led by Senator Jay Rockefeller to establish a set of guidelines for publicly traded companies to consider when faced with data security breach disclosures. The concern from the Senators was that investors were having difficulty evaluating risks faced by organizations where they were not disclosing such information in their public filings.
According to the SEC in issuing the guidelines, "[w]e have observed an increased level of attention focused on cyber attacks that include, but are not limited to, gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption." And while the guidelines do not make it a legal requirement for organizations to disclose data breach issues, the guidelines lay the groundwork for shareholders suits based on failure to disclose such attacks.

The guidelines come on the heels of a number of recent high-profile, large-scale data security breaches including those involving Citicorp, Sony, NBC and others – many of which have affected organizations around the world. A catalyst for the regulations is found in part in many organizations’ failure to report their breaches in a timely manner, or to report them at all. To curb any future disclosure issues, the SEC released the guidelines ordering companies to reveal their data security breaches.

As stated in the guidance notes, “[c]yber incidents may result in losses from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts.”

“Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.”

Consistent with other SEC forms and regulations, organizations are not being advised to report every cyber incident. On the contrary, registrants should disclose the risk of cyber incidents only “if these issues are among the most significant factors that make an investment in the company speculative or risky.” If an organization determines in its evaluation that an incident is material, it should “describe the nature of the material risks and specify how each risk affects the registrant,” avoiding generic disclosures.

The SEC indicated that in evaluating the risks associated with cyber incidents and determining whether those incidents should be reported, organizations should consider:

-- prior cyber incidents and the severity and frequency of those incidents;

-- the probability of cyber incidents occurring and the quantitative and qualitative magnitude of those risks, including the potential costs and other consequences resulting from misappropriation of assets or sensitive information, corruption of data or operational disruption; and

-- the adequacy of preventative actions taken to reduce cyber security risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Rather than imposing new obligations on organizations, the SEC guidance highlights what company executives already knew about their obligations to report cyber incidents but may not have fully appreciated. The true linchpin for every organization will be the determination of materiality: deciding which breaches get reported and which do not. Public companies will also need to weigh the real-world business risks, specific to their particular market, associated with an incident. For example, “if material intellectual property is stolen in a cyber attack, and the effects of the theft are reasonably likely to be material, the registrant should describe the property that was stolen and the effect of the attack on its results of operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition," the statement says.

Cybersecurity threats will continue to proliferate for companies of all sizes around the world. Failing to protect sensitive company data will pose an even greater risk going forward, and so will the legal implications of failing to disclose material cyber incidents. A proactive, timely approach to preventing cyber incidents is the best case scenario for all organizations. Guidance Software’s Professional Services team and partners can help: our consultants can expose unknown risks in your environment, remediate those risks, and provide prevention techniques designed to give your organization an active defense and knowledge of the possible attacks unique to your organization.

Chad McManamy is assistant general counsel for Guidance Software, and Anthony Di Bello is product marketing manager for Guidance Software.

The article discusses the value that SIEM solutions provide: they scan logs in real time looking for anomalies, discover security events, and show where things are happening on the network. But they have a shortcoming: they lack the next step, which is response. That’s where Guidance Software’s EnCase® Cybersecurity comes in. EnCase® Cybersecurity is able to identify the root cause of the event and help IT administrators respond quickly, closing the gap between alert and response.

Kevin writes, “Today’s hacker likes to get in and hide himself. He thinks he can go undetected (and often can and does) while he infiltrates deeper into the network looking for the most valuable data. Hacking comes with its own latency – and you need to use that latency between infiltration by the hacker and exfiltration of your data in order to stop him…SIEM plus forensics has the potential to improve the SIEM and, by reducing the time to remediation, to defeat the hacking latency.”

An additional problem is that IT security is a 24x7 job. When the SIEM solution triggers an alert in the middle of the night, response can’t wait. Frank provided Kevin with an example of how EnCase® Cybersecurity can help:

“One of the filtering systems picks up that something is happening that shouldn’t. It reports it to the SIEM. Correlation with other alerts indicates that it’s potentially a serious incident. ‘But what do you do if it’s 2:00am. Or it’s just part of a whole series of other alerts happening at the same time? Well, the SIEM can now trigger EnCase® Cybersecurity Solution to automatically and immediately dive in and do an investigation. We can capture who is on the machine in question, what applications are running at the time, what processes are in memory; we can kill the applications if we want to, and we can clear up the incident before it becomes too serious.’ Going back to our earlier metaphor, SIEM+EnCase can now close the stable door before the hacking latency expires, while the hacker is still in the stable and before too much damage is done.”

Anthony Di Bello
The objective of malware has moved from weapons of mass disruption to weapons of ultimate stealth for data theft. Today, attackers want to go unnoticed, and they’ll do anything they can to get past traditional defenses. They’ll try to compromise your users through tainted links on social networking sites, specially crafted email attachments, and even infected USB drives. They’ll employ any means they can, and if they’re determined, they won’t stop until they succeed.

The software tools they use today include attack exploit code, Trojans, keystroke loggers, network sniffers, and bots – whatever works to infiltrate the network and then exfiltrate the desired data.

“The advanced attack is getting more pervasive. In our engagements and my conversations with peers we are dealing with more organizations that are grappling with international infiltration. Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere. I imagine anybody in the global 2,500 has this problem.”

Consider that quote again for a second: “Every network we monitor, every large customer, has some kind of customized malware infiltrating data somewhere.”
Obviously, the goal of the malware is to slither past anti-malware defenses, and too often the attackers are successful.

This is why the ability to quickly detect and respond to infiltrations is more crucial than ever for an effective IT security program. And that makes digital forensics software central to those efforts. By being able to quickly determine the nature and cause of an incident, forensics software can be used to stop future incidents through the increased visibility into the network it provides.

This is where EnCase® Cybersecurity shines. EnCase® Cybersecurity offers enterprises a way to obtain actionable endpoint data related to an event before that data has a chance to decay or disappear from the affected endpoint altogether. EnCase® Cybersecurity can easily be integrated with an alerting solution or SIEM of choice (such as ArcSight ESM) to enable real-time visibility into relevant endpoint data the moment an alert or event is generated. This ensures security teams have instant access to information such as hidden processes running at the time the alert was generated, ports that were open at the time, and more. The ability to see the entire picture with regard to what was occurring on an endpoint – at a specific moment in time – allows for a far more accurate incident impact analysis and a way to gain visibility into any given threat. Having a clear view into that moment in time leads to faster incident resolution rather than chasing cold trails.
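As an added illustration of the workflow described in the SIEM example above and in this paragraph (this is not EnCase or Guidance Software code): a correlation step escalates a host only when several distinct rules fire within a short window, and the volatile snapshot captured at that moment is compared cross-view for hidden processes and unexpected listening ports. Host names, rule names, the snapshot and the port baseline are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SIEM alerts: ws-042 fires two different rules minutes apart;
# fs-007 fires the same two rules 35 minutes apart (hypothetical hosts/rules).
ALERTS = [
    {"ts": "2015-03-02T02:01:10", "host": "ws-042", "rule": "ids_c2_beacon"},
    {"ts": "2015-03-02T02:03:45", "host": "ws-042", "rule": "av_quarantine_failed"},
    {"ts": "2015-03-02T02:05:02", "host": "fs-007", "rule": "ids_c2_beacon"},
    {"ts": "2015-03-02T02:40:00", "host": "fs-007", "rule": "av_quarantine_failed"},
]
# Constructed volatile snapshot as an endpoint agent would capture it the
# moment the SIEM fires: two process views, listening ports, logged-in users.
SNAPSHOTS = {"ws-042": {
    "captured_at": "2015-03-02T02:03:50",
    "logged_in": ["jdoe"],
    "api_processes": [("explorer.exe", 1204), ("outlook.exe", 2210), ("svchost.exe", 880)],
    "memory_processes": [("explorer.exe", 1204), ("outlook.exe", 2210),
                         ("svchost.exe", 880), ("svchost.exe", 3120)],
    "listening_ports": [135, 445, 4444],
}}
BASELINE_PORTS = {135, 445}  # ports a workstation is expected to listen on (constructed)

def correlate(alerts, window=timedelta(minutes=10), threshold=2):
    """Hosts on which >= threshold distinct rules fired inside one window."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append((datetime.fromisoformat(a["ts"]), a["rule"]))
    triggered = []
    for host, events in by_host.items():
        for i, (t0, _) in enumerate(events):
            if len({r for t, r in events[i:] if t - t0 <= window}) >= threshold:
                triggered.append(host)
                break
    return triggered

def triage(snap, baseline_ports):
    """Cross-view check: a process present in the memory walk but absent from
    the API listing is hidden; a listening port outside the baseline is unexpected."""
    hidden = sorted(set(snap["memory_processes"]) - set(snap["api_processes"]))
    unexpected = sorted(set(snap["listening_ports"]) - set(baseline_ports))
    return {"captured_at": snap["captured_at"], "logged_in": snap["logged_in"],
            "hidden_processes": hidden, "unexpected_ports": unexpected,
            "severity": "high" if hidden or unexpected else "low"}

def handle_alerts(alerts, snapshots, baseline_ports):
    """Triage only the hosts the correlation step escalated; others stay quiet."""
    return {h: triage(snapshots[h], baseline_ports)
            for h in correlate(alerts) if h in snapshots}
```

In a real deployment the snapshot would be pulled from the endpoint at trigger time rather than read from a constant, which is the point of capturing it before the volatile data decays.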